List decoding of RM(1,m) codes and Multi-linear Power Analysis - PowerPoint PPT Presentation

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael Fourquet , Grigory Kabatiansky , Pierre Loidreau , Thomas Roche , C´ edric Tavernier University of Riverside, CA, USA. Research institute IPPI, Moscow, Russia. University Paris VIII, Paris, France. CELAR, Bruz Laboratoire LIG, Grenoble, France. Communications and Systems, Le Plessis Robinson, France. 29 mai 2009

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA Plan 1 List decoding of the First order Reed-Muller codes Reed-Muller codes List Decoding Algorithm Complexity Behaviour 2 Application to cryptanalysis Approximation of a bloc cipher 3 Power Analysis attacks overview 4 Countermeasures 5 (Multi-)Linear Power Analysis Attacks Practical Setup 6 Results and Perspectives Simulations The dpa-contest traces Conclusion and Open perspectives

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA Plan 1 List decoding of the First order Reed-Muller codes Reed-Muller codes List Decoding Algorithm Complexity Behaviour 2 Application to cryptanalysis Approximation of a bloc cipher 3 Power Analysis attacks overview 4 Countermeasures 5 (Multi-)Linear Power Analysis Attacks Practical Setup 6 Results and Perspectives Simulations The dpa-contest traces Conclusion and Open perspectives

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA Reed-Muller codes Reed-Muller code properties Definition of RM (1 , m ) RM (1 , m ) = { f ∈ GF (2) (1) [ x 1 , x 2 , · · · , x m ] } ; Usual representation : ( f (0) , f (1) , · · · , f (2 m − 1)) ; Boolean representation : f = f 1 x 1 ⊕ f 2 x 2 ⊕ · · · ⊕ f m x m code of lenght n = 2 m and minimal distance d = n / 2. Classical Problem Given a Boolean function g , we want to construct the list { f ∈ RM (1 , m ) | d H ( f , g ) ≤ n (1 / 2 − ǫ ) } , which is equivalent to x ∈ GF (2) m ( − 1) f ( x ) ⊕ g ( x ) ≥ 2 ǫ n } . L g ( ǫ ) = { f ∈ RM (1 , m ) | l ( g ) ( f ) = � Johnson Bound 1 In fact � L g ( ǫ ) � ≤ 4 ǫ 2

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA List Decoding Algorithm List Decoding Algorithms A simple idea r ∈ GF (2) i ( − 1) g ( r , s ) ⊕ f ( i ) ( r ) | where 2 ǫ n ≤ | l ( g ) ( f ) | ≤ s ∈ GF (2) m − i | � � f ( i ) = f 1 x 1 ⊕ · · · ⊕ f i x i . Screnning process : we suggest f i and we check if the inequality is satisfied. ⇒ L ( i ) r ∈ GF (2) i ( − 1) g ( r , s ) ⊕ f ( r ) | ≥ 2 ǫ n } . g ( ǫ ) = { f ∈ RM (1 , i ) | � � | s In fact M = � L ( i ) 4 ǫ 2 . With E = L ( i ) 1 g ( ǫ ) � ≤ g ( ǫ ) r ∈ GF (2) i ( − 1) g ( r , s ) ⊕ a ( i ) ( r ) ⊕ g ( r , s ) ⊕ b ( i ) ( r ) | ≤ n . 4 n ǫ 2 M ≤ � � � � | a ∈ E b ∈ E s

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA Complexity Complexity Worst case complexity The complexity of this algorithm is in O ( n log 2 2 ( ǫ )) [I Du 07]. The complexity of the prob. version is in O ( m 2 /ǫ 6 ) [Kaba 04]. The size of the result can be of size m / 2 ǫ 2 , thus optimal complexity could be in O ( m /ǫ 2 ). Optimal complexity In fact Goldreich and Levin algorithm : O ( m /ǫ 4 ). I. Dumer, G. Kabatiansky and C. Tavernier, not yet published : O ( m /ǫ 2 ).

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA Behaviour Behaviour log 2 � L ( i ) g ( ǫ ) � ✻ log 2 (1 / 4 ǫ 2 ) �❍ ❍ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ ❝ � ❝ ❈ � ❈ � ❈ � ❝ ❈ � ❈ � ❈ � ❈ � ❈ ❈ � ❝ ❏ � ❏ � ❏ � ❏ � ❏ ❝ ✲ ❝ ❝ log 2 (1 /ǫ 2 ) i -step

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA Behaviour Improvement and complexity Idea Computing the first steps by a FFT. Complexity of the log 2 ( c /ǫ 2 ) first steps is in O ( ǫ − 4 log 2 (1 /ǫ 2 )) A complexity in O ( m /ǫ 2 ) should improve pratically the former algorithms.

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA Approximation of a bloc cipher Approximation of a bloc cipher Analyzing a problem A block cipher f can be seen as a vectorial function f : GF (2) l × GF (2) k �→ GF (2) l . For linear cryptanalysis, we have to find relation � α, X � ⊕ � β, f ( X , K ) � ⊕ � µ, K � = 0 that hold with the highest probability as possible 1 / 2 + ǫ . An interpretation of the problem By fixing β , we fall in a problem list decoding of the first order Reed-Muller code, we have to decode the noisy codeword � β, f ( X , K ) � .

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA Approximation of a bloc cipher Results for 8 rounds of DES Bias × 10 4 Linear Combination − 2 . 49 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 31] K [4 , 9 , 13 , 31 , 33 , 41 , 44 , 52 , 54] ⊕ 4 . 86 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 27 , 31] K [4 , 9 , 13 , 31 , 33 , 41 , 44 , 47 , 52 , 54] ⊕ − 4 . 68 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 28] K [4 , 9 , 15 , 31 , 33 , 41 , 44 , 52 , 54] ⊕ 4 . 81 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 27 , 28] K [4 , 9 , 15 , 31 , 33 , 41 , 44 , 47 , 52 , 54] ⊕ − 2 . 18 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 27 , 28 , 29 , 31] K [9 , 13 , 15 , 31 , 33 , 41 , 44 , 47 , 52 , 54] ⊕ − 3 . 67 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 27 , 28 , 31] K [4 , 9 , 13 , 15 , 31 , 33 , 41 , 44 , 47 , 52 , 54] ⊕ − 4 . 59 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 30] K [4 , 9 , 30 , 31 , 33 , 41 , 44 , 52 , 54] ⊕ 2 . 63 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 27 , 30] K [4 , 9 , 30 , 31 , 33 , 41 , 44 , 47 , 52 , 54] ⊕ 2 . 3 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 29 , 30 , 31] K [9 , 13 , 30 , 31 , 33 , 41 , 44 , 52 , 54] ⊕ 2 . 69 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 27 , 29 , 30 , 31] K [9 , 13 , 30 , 31 , 33 , 41 , 44 , 47 , 52 , 54] ⊕ 3 . 77 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 30 , 31] ⊕ K [4 , 9 , 13 , 30 , 31 , 33 , 41 , 44 , 52 , 54] 3 . 23 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 27 , 30 , 31] ⊕ K [4 , 9 , 13 , 30 , 31 , 33 , 41 , 44 , 47 , 52 , 54] 2 . 43 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 27 , 28 , 29 , 30] ⊕ K [9 , 15 , 30 , 31 , 33 , 41 , 44 , 47 , 52 , 54] − 3 . 33 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 28 , 30] ⊕ K [4 , 9 , 15 , 30 , 31 , 33 , 41 , 44 , 52 , 54] − 3 . 13 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 28 , 29 , 30 , 31] ⊕ K [9 , 13 , 15 , 30 , 31 , 33 , 41 , 44 , 52 , 54] 4 . 52 P H [15] ⊕ P L [0 , 7 , 18 , 24 , 28 , 30 , 31] ⊕ K [4 , 9 , 13 , 15 , 30 , 31 , 33 , 41 , 44 , 52 , 54] 2 . 05 P H [15] ⊕ P L [7 , 18 , 24 , 27 , 31] ⊕ K [4 , 9 , 13 , 31 , 33 , 41 , 44 , 47 , 52] 2 . 48 P H [15] ⊕ P L [7 , 18 , 24 , 27 , 28 , 30 , 31] ⊕ K [4 , 9 , 13 , 15 , 30 , 31 , 33 , 41 , 44 , 47 , 52] 4 . 82 P H [15] ⊕ P L [7 , 18 , 24 , 31] ⊕ K [4 , 9 , 13 , 31 , 33 , 41 , 44 , 52] 2 . 05 P H [15] ⊕ P L [7 , 18 , 24 , 27 , 31] ⊕ K [4 , 9 , 13 , 31 , 33 , 41 , 44 , 47 , 52] 2 . 49 P H [15] ⊕ P L [7 , 18 , 24 , 28 , 29 , 31] ⊕ K [9 , 13 , 15 , 31 , 33 , 41 , 44 , 52] − 3 . 4 P H [15] ⊕ P L [7 , 18 , 24 , 27 , 28 , 31] ⊕ K [4 , 9 , 13 , 15 , 31 , 33 , 41 , 44 , 47 , 52] 3 . 55 P H [15] ⊕ P L [7 , 18 , 24 , 29 , 30] ⊕ K [9 , 30 , 31 , 33 , 41 , 44 , 52] − 2 . 31 P H [15] ⊕ P L [7 , 18 , 24 , 27 , 30] K [4 , 9 , 30 , 31 , 33 , 41 , 44 , 47 , 52] ⊕ 2 . 28 P H [15] ⊕ P L [7 , 18 , 24 , 27 , 28 , 29 , 30] K [9 , 15 , 30 , 31 , 33 , 41 , 44 , 47 , 52] ⊕ 5 . 83 P H [15] ⊕ P L [7 , 18 , 24 , 27 , 28 , 29 , 30 , 31] K [9 , 13 , 15 , 30 , 31 , 33 , 41 , 44 , 47 , 52] ⊕ Tab. : Ciphertext bits combination : C L [12 , 16] ⊕ C H [7 , 18 , 24]

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA Approximation of a bloc cipher Soft information on the key We remark that we have a soft information on certain point of the linear function H ( X ) = K 4 X 1 + ( K 9 + K 31 + K 33 + K 41 + K 44 + K 52 ) X 2 + K 13 X 3 + K 15 X 4 + K 47 X 5 + K 54 X 6 Given a sample of ( X , f ( X , K )), let s 0 ( i ) = # { X � H ( λ i ) = 0 } and s 1 ( i ) = # { X � H ( λ i ) = 1 } . � � � � 1 / 2 − ǫ i 1 / 2+ ǫ i Let y ( λ i ) = s 0 ( i ) log 2 + s 1 ( i ) log 2 1 / 2+ ǫ i 1 / 2 − ǫ i If λ does not correspond to a obtained relation, we set y ( λ ) = 0 Thus we have to decode the vector ( y ( λ )) λ λ y ( λ )( − 1) H ( λ ) is max. ⇒ Determine H s.t. � We reconstruct 6 bits of information with a complexity ≈ 2 20